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Abstract 

A class of models is presented, in the form of continuation monads polymorphic for 
first-order individuals, that is sound and complete for minimal intuitionistic predicate 
logic. The proofs of soundness and completeness are constructive and the computa- 
tional content of their composition is, in particular, a /J-normalisation-by-evaluation 
program for simply typed lambda calculus with sum types. Although the inspiration 
comes from Danvy's type-directed partial evaluator for the same lambda calculus, the 
there essential use of delimited control operators (i.e. computational effects) is avoided. 
The role of polymorphism is crucial - dropping it allows one to obtain a notion of 
model complete for classical predicate logic. The connection between ours and Kripke 
models is made through a strengthening of the Double-negation Shift schema. 
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1. Introduction 

Although Kripke models are standard semantics for intuitionistic logic, there is 
as yet no (simple) constructive proof of their completeness when one considers all 
logical connectives. While Kripke's original proof [20] was classical, Veldman gave an 
intuitionistic one 12611 by using Brouwer's Fan Theorem to handle disjunction and the 
existential quantifier. To see what the computational content behind Veldman's proof 
is, one might consider a realisability interpretation of the Fan Theorem (for example 
but, all known realisers being defined by general recursion, due to the absence of 
an elementary proof of their termination, it is not clear whether one can think of the 
program using them as a constructive proof or not. 

On the other hand, a connection between normalisation-by-evaluation (NBE) |4] 
for simply typed lambda calculus, A~* , and completeness for Kripke models for the 
fragment {A, =>, V} has been made |0,[l5tl- We review this connection in Section [2] 
There we also look at Danvy's extension Jit] of NBE from A~* to A^ v , simply typed 
lambda calculus with sum types. Even though Danvy's algorithm is simple and ele- 
gant, he uses the full power of delimited control operators which do not yet have a 
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typing system that permits to understand them logically. We deal with that problem 
in Section [3] by modifying the notion of Kripke model so that we can give a proof 
of completeness for full intuitionistic logic in continuation-passing style, that is, with- 
out relying on having delimited control operators in our meta-language. In Section|4j 
we extract the algorithm behind the given completeness proof, a /3-NBE algorithm for 
/l^ v . In Section[5] we stress the importance of our models being dependently typed, by 
comparing them to similar models that are complete for classical logic llal . We there 
also relate our and Kripke models by showing that the two are equivalent in presence 
of a strengthening of the Double-negation Shift schema J24, 25]. We conclude with 
Section|6]by mentioning related work. 

The proofs of Section [3] have been formalised in the Coq proof assistant in [16], 
which also represents an implementation of the NBE algorithm. 



2. Normalisation-by-Evaluation as Completeness 

In U Berger and Schwichtenberg presented a proof of normalisation of A~* which 
does not involve reasoning about the associated reduction relation. Instead, they inter- 
pret /l-terms in a domain, or ambient meta-language, using an evaluation function, 

[-] : A -> D, 

and then they define an inverse to this function, which from the denotation in D directly 
extracts a term in j3rj-long normal form. The inverse function {, called reification, is 
defined by recursion on the type t of the term, at the same time defining an auxiliary 
function t, called reflection: 

\, T : D — > A-nf 

{ T := a h-» a r-atomic 
J,™ :=Sh to. r (S ■ f a) a-fresh 

t T : A-ne -> D 

t T := a i-> a r-atomic 

Here, S ranges over members of D, and we used i-» and ■ for abstraction and applica- 
tion at the meta-level. The subclasses of normal and neutral /l-terms are given by the 
following inductive definition. 

A-nf Br:- Aa 1 .r 17 \ e T /l-terms in normal form 

A-ne 3 e := a T \ e T ^' T r T neutral /l-terms 



It was a subsequent realisation of Catarina Coquand [6], that the evaluation algo- 
rithm [•] is also the one underlying the Soundness Theorem for minimal intuitionistic 
logic (with => as the sole logical connective) with respect to Kripke models, and that 
the reification algorithm I is also the one underlying the corresponding Completeness 
Theorem. 
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Definition 2.1. A Kripke model is given by a preorder (K, <) of possible worlds, a 
binary relation of forcing (-) lh (-) between worlds and atomic formulae, and a family 
of domains of quantification D(-), such that, 



for all w' > w, w lh X — > w' lh X, and 
for all w' > w, D(w) c D(w'). 

The relation of forcing is then extended from atomic to composite formulae by the 
clauses: 

w h A A B := w lh A and w lh Z? 
w lh A V B := w lh A or w lh B 
w lh A => Z? := for all w' > w, w' lh A => w' lh Z? 
w lh VxA(x) := for all w' > w and t e D(w'), w' lh A(f) 
w lh 3xA(x) := for some t E D(w), w lh A(f) 
w lh ± := false 
w lh T := true 

More precisely, the following well-known statements hold and their proofs have 
been machine-checked J3.Q for the logic fragment generated by the connectives {=> 
,A,V}. 

Theorem 2.2 (Soundness). IfY h p : A then, in any Kripke model, for any world w, if 
w lh T then w lh A. 

Proof. By a simple induction on the length of the derivation. □ 

Theorem 2.3 (Model Existence or Universal Completeness). There is a model H ( the 
"universal model") such that, given a world w ofH, ifw lh A, then there exists a term 
p and a derivation in normal form w h p : A. 

Proof. The universal model H is built by setting: 

• K to be the set of contexts T; 

• "<" to be the subset relation of contexts; 

• 'T lh X" to be the set of derivations in normal form T h nf X, for X an atomic 
formula. 

One then proves simultaneously, by induction on the complexity of A, that the two 
functions defined above, reify (X) and reflect (t), are correct, that is, that I maps a 
member of T lh A to a normal proof term (derivation) T h p : A, and that f maps a 
neutral term (derivation) F h e : A to a member of F lh A. □ □ 

Corollary 2.4 (Completeness (usual formulation)). If in any Kripke model, at any 
world w, w lh T implies w lh A, then there exists a term p and a derivation F h p : A. 
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Proof. If w It- F — » w lh A in any Kripke model, then also w lh F — > w lh A in the 
model 1A above. Since from the T-part of Theorem 12 . 3 1 we have that F lh F, then from 
the X-part of the same theorem there exists a term p such that F \- p : A. □ □ 

If one wants to extend this technique for proving completeness for Kripke models to 
the rest of the intuitionistic connectives, ±, V and 3, the following meta-mathematical 
problems appear, which have been investigated in the middle of the last century. At 
that time, Kreisel, based on observations of Godel, showed (Theorem 1 of II 1910 that 
for a wide range of intuitionistic semantics, into which Kripke's can also be fit: 

• If one can prove the completeness for the negative fragment of formulae (built 
using A, ±, =>, V, and negated atomic formulae, X => ±) then one can prove 
Markov's Principle. In view of Theorem 12.31 this implies that having a com- 
pleteness proof cover ± means being able to prove Markov's Principle - which 
is known to be independent of many constructive logical systems, like Heyting 
Arithmetic or Constructive Type Theory. 

• If one can prove the completeness for all connectives, i.e. including V and 3, 
then one can prove a strengthening!]] of the Double-negation Shift schema on 
Ej' -formulae, which is also independent because it implies Markov's Principle. 

We mentioned that Veldman l26ll used Brouwer's Fan Theorem to handle V and 3, 
but to handle ± he included in his version of Kripke models an "exploding node" 
predicate, \\- ± and defined w lh ± :- w lh x . We remark in passing that Veldman's 
modification does not defy Kripke original definition, but only makes it more regular: 
if in Definition ^. H one considers ± as an atomic formula, rather than a composite one, 
one falls back to Veldman's definition. 

One can also try to straightforwardly extend the NBE-Completeness proof to cover 
disjunction (the existential quantifier is analogous) and see what happens. If one does 
that, one sees that a problem appears in the case of reflection of sum, 1 AwB . There, 
given a neutral /l-term that derives A V B, one is supposed to prove that w lh A V B 
holds, which by definition means to prove that either w lh A or w lh B holds. But, 
since the input /l-term is neutral, it represents a blocked computation from which we 
will only be able to see whether A or B was derived, once we substitute values for the 
contained free variables that block the computation. 

That is where the solution of Olivier Danvy appears. In fl, h e used the full poweiQ 
of the delimited control operators shift (Sk.p) and reset (#) [10] to give the following 



A special case of D-DNS+ from pagefHl 
2 We say "full power" because his usage of delimited control operators is strictly more powerful than what 
is possible with (non-delimited) control operators like call/cc. Danvy's program makes non-tail calls with 
continuations, while in the CPS translation of a program that uses call/cc all continuation calls are tail calls. 
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normalisation-by-evaluation algorithm for A 



| TVtr := S 



r 
r 



D -> A-nf 

= a h-> a r-atomic 

r (5 • T T «) a-fresh 

n(l T S') ,ifS=inl-S" 
L2(i a S') , ifS =inr-S" 

A-ne -> D 

= a h-> a r-atomic 
= ch «S/f.case e of ■ (inl -(t T <Zi))II<Z2-#* • (inr •(f' 02))) a,-fresh 



We characterise explicitly normal and neutral /i-terms by the following inductive defi- 
nitions. 

A-nf 3 r := e T \ Aa T .r a \ i\r \ i\r 
A-ne 3 e := a T \ e T ^ a r T \ case e TV<r of 

Given Danvy's NBE algorithm, which is simple and appears correcfl does this 
mean that we can obtain a constructive proof of completeness for Kripke models if 
we permit delimited control operators in our ambient meta-language? Unfortunately, 
not, or not yet, because the available typing systems for them are either too complex 
(type-and-effect systems II 1(111 change the meaning of implication), or do not permit to 
type-check the algorithm as a completeness proof (for example the typing system from 
|1J, or the one from Chapter 4 of |[l7lD . 



3. Kripke-CPS Models and Their Completeness 

However, there is a close connection between shift and reset, and the continuation- 
passing style (CPS) translations ifTlll . We can thus hope to give a normalisation-by- 
evaluation proof for full intuitionistic logic in continuation-passing style. 

In this section we present a notion of model that we developed following this idea, 
by suitably inserting continuations into the notion of Kripke model. We prove that the 
new models are sound and complete for full intuitionistic predicate logic. 

Definition 3.1. An Intuitionistic Kripke-CPS model (IK-CPS) is given by: 

• a preorder (K, <) of possible worlds; 



a binary relation on worlds (-) \\\' labelling a world as exploding; 



3 For more details on the computational behaviour of shift/reset and the algorithm itself, we refer the 
reader to the original paper [8] and to Section 3.2 of tl7j . 
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• a binary relation (-) lb (-) of strong forcing between worlds and atomic formu- 
lae, such that 

for all W > w, w b X — > w' lb X, 

• and a domain of quantification D(w) for each world w, such that 

for all W > w, D(w) c D(w'). 

The relation (-) lb (— ) of strong forcing is extended from atomic to composite formulae 
inductively and by simultaneously defining I one I new relation, (non-strong) forcing: 



★ A formula A is forced in the world w (notation w h A) if, for any formula C, 



Vw' > w. Nw" > W . w" Ifj A — > w" 1^) -> W 1^; 

b A A B if w lh A and w lh B; 

lb A VBif w lh Aorw lh B; 

Ihj A B if for all w' > w, w lh A implies w lh B; 

lb VxA(jc) if for all w' > w and all t e D(w'), W lh A(f); 

• w lh s 3xA(x) if w lh A(f) for some t e D(w). 

Remark 3.2. Certain details of the definition have been put into boxes to facilitate the 
comparison carried out in Section [5] 

Lemma 3.3. Strong forcing and (non-strong) forcing are monotone in any IK-CPS 
model, that is, given w' > w, w lh s A implies w' lb A, andw lh A implies w' lh A. 

Proof. Monotonicity of strong forcing is proved by induction on the complexity of the 
formula, while that of forcing is by definition. The proof is easy and available in the 
Coq formalisation. □ 

Lemma 3.4. The following monadic operations are definable for IK-CPS models: 

"unit" 77(0 w lb A -> w lh A 

"bind" (■)*(■) (Vw' > w. w' lb A ^ W lh B) ^ vw lh A -> w lh B 



Proof. Easy, using Lemma 13.31 If we leave implicit the handling of formulae C, 
worlds, and monotonicity, we have the following procedures behind the proofs. 

77(a) = k i-> k • a 
(<p)*{a) = Ki->a-(fi}-*<f>-/3-K) 



□ 



□ 
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(a : A) E T 
r h a : A 



r h v : At r h q : A 2 T I- v : Ai A A 2 

A/ — ! - A' 



E 



F \- (p,q) : A\ AA 2 T h 7r,/;> : A; 

T h o : A ; 

— : v. 

T\-iip:Ai VA 2 

Ti-p:AiVA2 F, ai : Ai h ^1 : C F, 02 : A2 1- <?2 : C 
r 1- case p of (cii .q\ \\a1.q2) '■ C 

Y,a : A] \- p : A 2 T h p : A\ => A 2 T h ^ : A 



T h zta.p : Ai => A 2 r 1 h pq: A 2 



r h p : A(x) x-fresh T h p : VxA(x) 

^/ — ^ : — 77^ — Ve 



T h Ax.p : VxA(jc) r h pt : A(f) 

r h p : A(f) 



J/ 



T h (f,p) : 3xA(x) 

T h p : 3jcA(x) F, a : A(x) \- q : C jc-fresh 
r h dest p as {x.a) in q : C 



E 



Table 1: Proof term annotation for the natural deduction system of minimal intuition- 
istic predicate logic (MQC) 

With TableQ] we fix a derivation system and proof term notation for minimal intu- 
itionistic predicate logic. There are two kinds of variables, proof term variables a,b, . . . 

and individual (quantifier) variables x,y, Individual constants are denoted by t . We 

rely on these conventions to resolve the apparent ambiguity of the syntax: the abstrac- 
tion Aa.p is a proof term for implication, while Ax.p is a proof term for V; (p, q) is a 
proof term for A, while (f, q) is a proof term for 3. 

We supplement the characterisation of normal and neutral terms from page [5] 

A-nf 3 r :-e \ Aa.r \ i\r \ i 2 r \ (r\,r 2 ) \ Ax.r \ (f, r) 
A-ne 3 e :—a \ er \ case e of {ai.ri\\a 2 .r 2 ) \ n\e \ n 2 e \ et \ 
dest e as (x.a) in r 



7 



As before, let w It- T denote that all formulae from F are forced. 

Theorem 3.5 (Soundness). If V h p : A, then, in any world w of any IK-CPS model, if 
w lh T, then w It- A. 

Proof. This is proved by a simple induction on the length of the derivation. We give 
the algorithm behind it in section |4] □ 

Remark 3.6. The condition "for all formula C" in Definition 13. II is only necessary for 
the soundness proof to go through, more precisely, the cases of elimination rules for V 
and =>. The completeness proof goes through even if we define forcing by 

Vw' > w. (Vw" > W . w" lh, A — > w" -> W lt-1 . 

Definition 3.7. The Universal IK-CPS model H is obtained by setting: 

• K to be the set of contexts T of MQC; 

• r<r'iffrcr'; 

• r \V S X iff there is a derivation in normal form of F h X in MQC, where X is an 
atomic formula; 

• r iff there is a derivation in normal form of T I- C in MQC; 

• for any w, D(w) is a set of individuals for MQC (that is, D(-) is a constant 
function from worlds to sets of individuals). 

( - ) lb (-) is monotone because of the weakening property for intuitionistic "h". 

Remark 3.8. The difference between strong forcing "Its" and the exploding node pred- 
icate "Ihj" in 11 is that the former is defined on atomic formulae, while the latter is 
defined on any kind of formulae. 

Lemma 3.9. We can also define the monadic "run" operation on the universal model 
H, for atomic formulae X: 

p{-) : w lh X w \k X. 
Proof. By setting C .- A and applying the identity function. □ 

Theorem 3.10 (Completeness for K). For any closed formula A and closed context T, 
the following hold for 1/: 

ThA^{p\Thp:A} {"reify") (1) 

F h e : A — > T lh A ( "reflect") (|) 

Moreover, the target of (I) is a normal term, while the source of ('I) is a neutral term. 
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Proof. We prove simultaneously the two statements by induction on the complexity of 
formula A. 

We skip writing the proof term annotations, and write just F h A instead of "there 
exists p such that V \- p : A", in order to decrease the level of detail. The algorithm 
behind this proof that concentrates on proof terms is given in Section[4] 

Base case. (J,) is by "run" (Lemma [3.9l l, (T) is by "unit" (Lemma f3.4l i. 

Induction case for A. Let F Ih A A B i.e. 

vc. vn > r. «yr" > r. r" ih a and r" ih b -> r" hC)-»r'FC). 

We apply this hypothesis by setting C := A AB and P := F, and then, given F" > T s.t. 
F" Ih A and F" Ih B, we have to derive T" I- A A B. But, this is immediate by applying 
the A/ rule and the induction hypothesis (X) twice, for A and for B. 

Let r h A A B be a neutral derivation. We prove F I h A A B by applying unit (Lemma 
|3.41 l, and then applying the induction hypothesis (X) on a], A^, and the hypothesis. 

Induction case for V. Let F Ih A V B i.e. 

vc. VP > r. ((vr" > P. r" ih a or r" ih b ^ r" h c) -> P 1- c) . 

We apply this hypothesis by setting C := A V B and F' := F, and then, given T" > F 
s.t. F" Ih A or F" Ih B, we have to derive T" h A V B. But, this is immediate, after a 
case distinction, by applying the rule and the induction hypothesis (X). 

We now consider the only case (besides | 3xA W below) where using shift and reset, 
or our Kripke-style models, is crucial. Let r h A V B be a neutral derivation. Let a 
formula C and T' > T be given, and let 

VF" > P. (P' Ih A or F" Ih B -> P' h C) . (#) 

We prove T' h C by the following derivation tree: 

AeA,P BeB,r 

Ax - — — Ax 



A,F' h A " B,F'hB ^ 

(T) — ■ (T) 

A,P Ih A (U B,T' Ih B U 
inl 



Ti-AVB A,T' Ih AorA,P Ih B " B, V Ih A or B, T' Ih B 

(#) TTTT, -F, (#) 



PhAVB A,PhC B,PhC 
v £ 

Induction case for =>. Let F Ih A B i.e. 

VC. VP > F. ((VF" > P. (VF 3 > F". F 3 Ih A -> F 3 Ih B) -» F" h C) -» P h C) . 

We apply this hypothesis by setting C := A => B and T' := T, and then, given F" > F 
s.t. 

VF 3 > r". F 3 Ih A — > F 3 Ih B (#) 

we have to derive F" h A => B. This follows by applying (=>/), the IH for(X), then (#), 
and finally the IH for (f) with the Ax rule. 

Let F h A => B be a neutral derivation. We prove r Ih A => B by applying unit 
(Lemma [3.41 >. and then, given F' > T and T' Ih A, we have to show that F' Ih B. This is 
done by applying the IH for (|) on the (=>e) rule, with the IH for (X) applied to T' Ih A. 
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Induction case for V. We recall that the domain function D(-) is constant in the 
universal model 11. Let F Ih VxA(x) i.e. 

vc. vr > r. ((vr" > r. (vr 3 > r". vr e d. r 3 ih a(*)) -» r" hC)->rhC). 

We apply this hypothesis by setting C := VxA(x) and P := F, and then, given T" > F 
s.t. 

Vr 3 > T", Vr e D. F 3 Ih A(f) (#) 

we have to derive F" h Vx4(;t). Fhis follows by applying (V/), the IH for(|), and then 
(#). 

Let F h VxA(x) be a neutral derivation. We prove F Ih VxA(x) by applying unit 
(Lemma [3.4| ), and then, given F' > F and t e D, we have to show that P Ih A(f). This 
is done by applying the IH for (t) on the (Vg) rule and the hypothesis F h VxA(x). 

Induction case for 3. Let F Ih 3xA(x) i.e. 

VC. VP > F. ((VP' > P. (3f e D. F" Ih A(f)) F" h C) -> P I- C) . 

We apply this hypothesis by setting C :- 3xA{x) and F' := F, and then, given F" > F 
s.t. 3t e D. T" Ih A(f), we have to derive F" h 3xA(x). This follows by applying (3/) 
with t e D, and the IH for(|). 

Let F h 3xA(x) be a neutral derivation. Let a formula C and F' > F be given, and 

let 

VF" > P. (3r e D.F" Ih A(f) F" h C) . (#) 
We prove F' h C by the following derivation tree: 

A(x) e A(x),F' 

Ax 

A(x), P h A(x) 
F h 3xA(x) A(x),P W-AjxY (T) 
P h 3xA(x) A(x), P h C (#) x-fresh 



The result of reification is in normal form. By inspection of the proof. □ □ 



4. Normalisation by Evaluation in IK-CPS Models 

In this section we give the algorithm that we manually extracted from the Coq 
formalisation, for the restriction to the interesting propositional fragment that involves 
implication and disjunction. The algorithm extracted automatically by Coq contains 
too many details to be instructive. 
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The following evaluation function for /l^ v -terms is behind the proof of Theo- 



rem 



[rhp:A] w | hr :wlhA 



:= p(a) 

:= K h> /f • (or h> Ip]p, aMa ) = ?7 • (a h-» [[plp, flM „) 
:=*"-> Mp • (0 ^ <f> ■ kip ■ *) 
:= * *-> * ■ (inl • blp) = *7 ' ( inl ' Wp) 
(inr -blp) = *7 " ( inr ' Wp) 

[?i] Wl h«i • ^ if 7 = inl -a 
k fe] P , fl2 M>/s • « if y = inr 78 

The following is the algorithm behind Theorem 13. 101 



Wp 
ptf./?]p 

Mp 
[tlrfp 

[t2P]p 

[case /? of (ai.9i||a 2 .92)lp ■- * >-> \p\ P • Ir 



if : T Ih A -> {p e A-nf | T \- p : A} 
Tr : {e e A-ne | T h e : A] -> T Ih A 



if 

Tf 

1 A=>B 
t A=>B 

Ir 



I AvB 



= a i-» /i ■ a 
= e 1— > 77 • e 

^■(^^- irUO*' tr,a:A «)) 

= (a i-»t? («(ir«))) 

ii lp a if y = inl-. 



X-atomic 
X-atomic 
a-fresh 



:=n \y» \ ,s 



nifP ify = inr-j8 



|^ vB : - e )-> /c 1-) case e of (ai./c ■ (inl - tf fl ,A fl i) 11^2-* ' ( mr ' tra 2 :B fl 2)) a,-fresh 



5. Variants and Relation to Kripke Models 

5.7. "Call-by-value" Models 

Defining forcing on composite formulae in Definition 13.11 proceeds analogously 
to defining the call-by-name CPS translation [23], or Kolmogorov's double-negation 
translation [25, 22]. A definition analogous to the "call-by-value" CPS translation 1123 1 
is also possible, by defining (non-strong) forcing by: 

• w lb A A B if w lb A and w lb B; 

• w lb A V B if w lb A or w lb B; 

• w lb A => B if for all W > w, w lb A implies w Ih B; 

• w lb VxA(jc) if for all w' > w and all t e D(w'), w' Ih A(f); 
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• w lb 3x.A(x) if w lb A(t) for some t e D(w). 

One can prove this variant of IK-CPS models sound and complete, similarly to 
Section[3] except for two differences. Firstly, in the statement of Soundness, one needs 
to put w lb T in place of w h F. Secondly, due to the first difference, the composition 
of soundness of completeness that gives normalisation works for closed terms only. 

5.2. Classical Models 

In |S F7|,ll8t], we presented the following notion of model which is complete for 



classical predicate logic and represents an NBE algorithm for it. 
Definition 5.1. A Classical Kripke-CPS model ( CK-CPS), is given by: 
• a preorder (K, <) of possible worlds; 

relation on worlds (-) lb_ labelling a world as exploding; 



unary 



• a binary relation (-) lb (-) of strong forcing between worlds and atomic formu- 
lae, such that 

for all w' > w, w b X — » w' lb X, 

• and a domain of quantification D(w) for each world w, such that 

for all W > w, D(w) c D(w'). 

The relation (-) 1^ (— ) of strong forcing is extended from atomic to composite formulae 



inductively and by simultaneously defining two new relations, refutation and (non- 
strong) forcing: 

• A formula A is refuted in the world w (notation w : A lh) if any world W > w, 
which strongly forces A, is exploding; 

• A formula A is forced in the world w (notation w lh A) if any world W > w, 
which refutes A, is exploding; 

• w lh, A A B if w lh A and w lh B; 

• w lb A V B if w lh A or w lh B; 

• w lh A => B if for all w' > w, w lh A implies w lh B; 

• w lb Sx.A(x) if for all w' > w and all t e D(w'), w' lh A(t); 

• w lb 3x.A(x) if w lh A(f) for some t e D(w). 

The differences between Definition 13. II and Definition 15. II are marked with boxes. 
We can also present CK-CPS using binary exploding nodes, by defining w lh s ± :- 
VC.w Ih^. Then, we get the following statement of forcing in CK-CPS, 

Vw' > w. (Vw" > W. w" b A -> V/.w" Ihi) VO.vv' lh?, 
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versus forcing in IK-CPS, 



VC. Vw' > w. (Vw" > w'. w" lb A -> w" 1^) -> w' lM[ . 

The difference between forcing in the intuitionistic and classical models is, then, 
that: 1) the dependency on C is necessary in the intuitionistic case, while it is optional 
in the classical case; 2) the continuation (the internal implication) in classical forc- 
ing is allowed to change the parameter C upon application, whereas in intuitionistic 
forcing the parameter is not local to the continuation, but to the continuation of the 
continuation. 

At this point we also remark that the use of dependent types to handle the parameter 
C is determined by the fact that we formalise our definitions in Intuitionistic Type The- 
ory. Otherwise, the quantification VC. - is quantification over first-order individuals, 
for example natural numbers. 

5.3. Kripke Models 

Let A(n) be an arbitrary first-order formula and let X(n, m) be a S'j'-formula. Denote 
the following arithmetic schema by (D-DNS + ) for "dependent Double-negation Shift 
schema, strengthened". 

Vm. V«i > n. (V«2 - n\. Ain-i) — > X{ri2,m)) — > X(ri\,m) 
A(n) 

Proposition 5.2. Let 7C = (K, <, D, N, be any structure such that N denotes forcing 
in the standard Kripke model arising from %, and Ih denotes (non-strong) forcing in 
the IK-CPS model arising from the same %. 

Then, in the presence of(D-DNS + ) at meta-level, for all formula A, and any w e K, 

w\= A < — > w Ih A. 

Proof. The proof is by induction on A, using (D-DNS + ) to prove, 

VC. Vwi > w. (Vw2 > W\. (w2 Ih A or W2 Ih B) -> w 2 1^)) ^ wi Ihx 
w Ih A or w Ih B 

needed in the case for disjunction, and similarly for the existential quantifier. □ 

Corollary 5.3. Completeness of full intuitionistic predicate logic with respect to stan- 
dard Kripke models is provable constructively, in the presence ofD-DNS + . 

Remark 5.4. It is the other direction of this implication that Kreisel proved, for a spe- 
cialisation of D-DNS + . (Section |21) To investigate more precisely whether D-DNS + 
captures exactly constructive provability of completeness for Kripke models remains 
future work. 
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6. Conclusion 

We emphasised that our algorithm is /?-NBE, because were we able to identify firj- 
equal terms of through our NBE function, we would have solved the problem of 
the existence of canonical 77-long normal form for A^ v . However, as shown by |[l4ll . 
due to the connection with Tarski's High School Algebra Problem Jill^l, the notion 
of such a normal form is not finitely axiomatisable. If one looks at examples of /l _iV - 
terms which are /^-equal but are not normalised to the same term by Danvy's (and 
our) algorithm, one can see that in the Coq type theory these terms are interpreted as 
denotations that involve commutative cuts. 

In recent unpublished work H, Danvy also developed a version of his NBE algo- 
rithm directly in CPS, without using delimited control operators. 

In |01, Barral gives a program for NBE of /l-calculus with sums by just using the 
exceptions mechanism of a programming language, which is something a priori strictly 
weaker than using delimited control operators. 

In HI], Altenkirch, Dybjer, Hofmann, and Scott, give a topos theoretic proof of 
NBE for a typed /i-calculus with sums, by constructing a sheaf model. The connection 
between sheaves and Beth semantical is well known. While the proof is constructive, 
due to their use of topos theory, we were unable to extract an algorithm from it. 

In I2H1 . Macedonio and Sambin present a notion of model for extensions of Basic 
logic (a sub-structural logic more primitive than Linear logic), which, for intuitionistic 
logic, appears to be related to our notion of model. However, they demand that their 
set of worlds K be saturated, while we do not, and we can hence also work with finite 
models. 

In H3I1 . Filinski proves the correctness of an NBE algorithm for Moggi's compu- 
tational /l-calculus, including sums. We found out about Filinski's paper right before 
finishing our own. He also evaluates the input terms in a domain based on continua- 
tions. 
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